TL;DR

CVE-2026-5027 (CVSS 8.8) — Langflow's file-upload endpoint (POST /api/v2/files) accepts a caller-controlled filename parameter with no path sanitization. An unauthenticated attacker (Langflow auto-login is enabled by default) can write arbitrary files to arbitrary paths on the server filesystem → remote code execution. This is a distinct vulnerability from CVE-2026-33017 (the earlier flow-build RCE that reached CISA KEV). Approximately 7,000 Langflow instances were internet-facing at the time of disclosure; the flaw was being actively exploited in the wild at time of publication. Fixed in Langflow 1.10.0 (addressed in 1.9.0 on 2026-04-15).

What happened

Langflow is a popular visual drag-and-drop AI agent/workflow builder built on LangChain. It is widely deployed by vibe coders to orchestrate multi-step AI pipelines with LLM integrations, database connections, and tool calls.

In June 2026, researchers disclosed CVE-2026-5027: a path traversal vulnerability in the POST /api/v2/files endpoint. The filename field in the multipart upload request was not sanitized — an attacker could supply a filename like ../../../../../../etc/cron.d/backdoor and write content to arbitrary filesystem paths.

Why this is unauthenticated by default: Langflow ships with auto-login enabled — no credentials are required for API access unless an administrator explicitly enables authentication. The vast majority of self-hosted Langflow instances use the default configuration.

RCE path: Writing a malicious Python module to a path inside Langflow's site-packages/ directory, or overwriting a .pth file (Python path hook) in site-packages/, causes the payload to execute at Langflow's next startup or next import. Alternatively, writing to /etc/cron.d/ (Linux) achieves scheduled persistence.

Relationship to CVE-2026-33017:

CVE-2026-33017 CVE-2026-5027
Disclosed March 2026 June 2026
Endpoint Flow build/execution endpoint /api/v2/files file upload
Root cause Code injection via flow node execution Path traversal in filename parameter
CVSS 9.8 (Critical) 8.8 (High)
CISA KEV Yes No (at time of writing)
Fixed version 1.4.0 / 1.3.6 1.10.0 (addressed 1.9.0)

Both CVEs are independently exploitable and both are actively exploited in the wild. Patching for CVE-2026-33017 does not protect against CVE-2026-5027.

Scale: Approximately 7,000 Langflow instances were estimated to be internet-facing at the time of disclosure. Active exploitation indicators were reported by threat intelligence feeds.

Am I affected?

# Check your Langflow version
pip show langflow 2>/dev/null | grep Version
langflow --version 2>/dev/null

# Check if auto-login is enabled (default: true)
cat ~/.langflow/.env 2>/dev/null | grep -i auto_login
# or check the Langflow startup config

# Check if the endpoint is reachable from the internet
curl -s http://localhost:7860/api/v2/files -X OPTIONS 2>/dev/null

You are affected if: 1. You run Langflow < 1.10.0 (or < 1.9.0 if you have been patched since April 15, 2026) 2. Your Langflow instance is reachable from the public internet or from any untrusted network

If auto-login is enabled (the default), no authentication is required to exploit this.

IOCs

Type Value
CVE CVE-2026-5027
CVSS 8.8 (High)
Affected versions Langflow < 1.9.0
Fixed version Langflow 1.9.0 (2026-04-15) / 1.10.0
Vulnerable endpoint POST /api/v2/files
Attack vector filename parameter path traversal
Authentication required No (auto-login enabled by default)
Exploitation status Actively exploited in the wild
Estimated exposed instances ~7,000
Related CVE CVE-2026-33017 (distinct; both actively exploited)

If you are affected

  1. Upgrade Langflow to 1.10.0 immediately. This is the cleanest fix; 1.9.0 addressed the file-upload path traversal but 1.10.0 includes additional hardening.
  2. Treat the host as compromised if you ran Langflow < 1.9.0 while internet-facing. Assume arbitrary files were written.
  3. Audit the filesystem for unexpected files in site-packages/, /etc/cron.d/, /tmp/, or Langflow's working directory. Look for .pth files added since March 2026.
  4. Rotate all credentials accessible from the Langflow host — LLM API keys, cloud IAM credentials, database passwords, and any secrets in Langflow's configured integrations.
  5. Enable authentication in Langflow (AUTO_LOGIN=false and configure OAuth/email auth) — do not rely on network isolation alone.
  6. Firewall the port (7860 by default) — Langflow should not be directly internet-facing without a reverse proxy + authentication layer.
  7. See playbooks/rotating-cloud-credentials.md.

Prevention

  • Enable authentication: Set AUTO_LOGIN=false in Langflow's environment and configure user authentication. All vibe-coded Langflow instances should require credentials.
  • Never expose Langflow directly to the internet. Use a reverse proxy (nginx/Caddy/Cloudflare Tunnel) with authentication in front of it.
  • Pin to a release and update promptly. Langflow has had two independently-exploited CVEs in three months (March + June 2026). Subscribe to langflow-ai/langflow release notifications.
  • Treat disclosure-to-exploit as < 24 hours for any AI-framework CVE. The LiteLLM and PraisonAI baselines confirm this cadence.
  • prevention/agent-sandboxing.md

Sources